CO639 Cryptography: Implementation Security in PHP

1
CO639Cryptography ImplementationSecurity in PHP

• Gareth Owen

2
Overview

• Cryptography in PHP
• Security in PHP
• OpenSSL PHP

3
Cryptography in PHP why?

• Authenticate remote hosts without sharing
  passwords
• Avoid storage of passwords
• Sign transactions or business XML documents
• Verify audit trails havent been tampered with

4
PHP cryptography functions

• PHP mostly provides hashing functions
• ciphertext md5(original)
• ciphertext sha1(original)
• ciphertext crypt(original)
• Also provides OpenSSL functions
• Using Certificates to sign, encrypt, decrypt etc.
• Can add more functionality with add-ons
• AES, Blowfish, RSA, Diffie-Helman

5
Securing passwords

• Need a login system for our users
• Create a table in MySQL, columns
• id, username, password
• When user logins, just look for row that matches
  username and password.
• Security issues
• User/pass transmitted as cleartext
• If database server compromised all users
  passwords exposed.

6
Securing passwords

• Passwords transmitted in clear-text
• We should use SSL, even if it is only for the
  login bit
• Hotmail and Facebook do it this way.
• Database compromised damage limitation.
• Take a hash of passwords. When user sets their
  password, store
• store sha1(passwd)
• A hash not able to turn this back into password

7
Securing passwords

• MySQL also provides hashing functions
• Doesnt really matter where we hash the password
• SELECT user, pass FROM users WHERE username
  xxx and pass SHA1(xxx)
• INSERT INTO users (user, pass) VALUES
  (username, SHA1(password))

8
Securing passwords

• How do we verify someone has logged in OK?
• result mysql_query(SELECT user, pass FROM
  users WHERE username user and pass
  SHA1(pass)
• count mysql_num_rows(result)
• if(count 0) echo success
• else echo failure

9
Beware of security vulnerabilities

• If we run that last query, and user enters their
  password as or
• Query results in
• SELECT user,pass FROM users where usernamebob
  and pass or
• This is an SQL injection attack. Would no longer
  require a valid password.

10
Preventing SQL injection

• Verifying what user typed in is EXACTLY what was
  expected
• safe mysql_real_escape_string(input)
• Turns into \
• Turns into \
• Result
• SELECT user,pass FROM users where usernamebob
  and pass\ or \\\

11
Redoing our login check

• user mysql_real_escape_string(_GETuser)
• pass mysql_real_escape_string(_GETpass)
• result mysql_query(SELECT user, pass FROM
  users WHERE username user and pass
  SHA1(pass)
• count mysql_num_rows(result)
• if(count 0) echo success
• else echo failure

12
Other things to note

• Not all inputs are strings, so mysql_real_escape_s
  tring() wont work.
• Some inputs are numbers e.g. price.
• So we need to verify it is infact a number and
  contains no spaces or other characters
• if(is_numeric(_GETprice))
• price _GETprice

13
Lets look at encrypting stuff

• Two ways
• Symmetric
• AES, RC4, Blowfish, DES, etc
• Needs a key that both sides know
• Used for encrypting large things (faster)
• Asymmetric
• RSA, Diffe-Helman
• Needs two keys, one encrypts the other decrypts.
• Computationally intensive
• Certificates contain the keys

14
OpenSSL in PHP

• Mostly provides asymmetric encryption for us
  although hybrid encryption is used for the
  functions we show later.
• What might we use it for?
• Signing log entries (later in semester), XML
  business transactions, encrypting database
  content, etc.
• Securing transmissions for web services that
  dont use HTTPS

15
OpenSSL functions

• openssl_seal()
• openssl_open()
• openssl_sign()
• openssl_verify()
• Not particularly well documented
• Accept certificates in PEM format

16
Certificates

• Certificate files are often text files.
• mine.key
• Private key
• mine.cert
• Public certificate
• mine.pem
• Both public and private key, files just
  concatenated together

17
Getting the keys

• Assume certificate file mycert.pem
• Need to load the certificate into memory first
• cert file_get_contents(mycert.pem)

18
Storing Credit Card information

• Shouldnt store credit card information
• What happens if our database server is
  compromised?
• Many examples in the news!
• Bad PR!
• If were someone like Paypal, our users need the
  convenience
• Encrypt credit card information
• But, if they compromised our web server and
  database server
• They can look on one for the encryption key.

19
Storing Credit Card information

• Asymmetric cryptography to the rescue.
• We can store public encryption key on web server.
• Encrypt all credit card info, then put into
  database.
• Decryption/private key is _only_ stored on
  despatch system/order processing system.
• Ideally firewalled from any outside access.
• Can only download data from web server/database
  server

20
OpenSSL in PHP Encrypting
OUT
Public Key
Asymmetric Encryption
Encrypted Session/Envelope Key
Private Key
CipherText (
Symmetric Encryption
Session/Envelope key
Message Im a lumberjack and Im OK.
21
OpenSSL

• openssl_seal(data, ciphertext,
• envKeys, recips)
• data data to be encrypted
• ciphertext result is put into this variable
• envKeys envelope keys put into here (array)
• recips array of recipients public keys

22
OpenSSL

• openssl_open(ciphertext, data,
• envKey, privKey)
• ciphertext encrypted data
• data result put in here
• envKey envelope key
• privKey private key to decrypt data

23
Using OpenSSL in PHP

• cert file_get_contents("mycert.pem")
• public openssl_get_publickey(cert)
• private openssl_get_privatekey(cert)
• data "I'm a lumberjack and I'm okay."
• echo "Data before data\n"
• openssl_seal(data, cipher, e, array(public))
• echo "Ciphertext cipher\n"
• openssl_open(cipher, open, e0, private)
• echo "Decrypted open\n"

24
Encrypting credit card info

• cc_no 6759..
• expno 0711
• cvc 781
• holder Billy Joe
• Concatenate together
• ccinfo ccno,expno,cvc,holder

25
Encrypting the data into the database

• ccinfo ccno,expno,cvc,holder
• cert file_get_contents("mycert.pem")
• public openssl_get_publickey(cert)
• openssl_seal(ccinfo, cipher, e,
  array(public))
• dbccinfo base64_encode(cipher)
• dbkey base64_encode(e0)
• INSERT INTO customer (ccinfo, key) VALUES
  (dbccinfo, dbkey)

26
Other ideas

• Dont store credit card numbers at all if
  possible
• Only store part of the number, requiring the user
  to enter the last part each time.
• Require entry of CVC code each time
• Not for hardcore security though.

27
OpenSSL in PHP Signing
OUT
Public Key
Asymmetric Encryption
Signature
Private Key
SHA1(Message)
Message Im a lumberjack and Im OK.
28
Signing in PHP

• openssl_sign(data, signature, privKey)
• data data to be signed, e.g. XML document
• signature the signature for the data
• privKey private key to use for signing

29
Signing in PHP

• openssl_verify(data, signature, pubKey)
• data data that was signed, e.g. XML document
• signature the signature for the data
• pubKey public key to used for signing
• Returns 1 verified, 0 signature wrong, -1
  other error

30
Conclusion

• Hash passwords
• Beaware of any form of injection attack
• Validate everything the user sends you carefully
• E.g. negative quantities, sql injection, numbers
  etc.
• Encrypt credit card details incase of database
  compromise
• Avoid storing credit card details if at all
  possible
• Use OpenSSL for asymmetric encryption/decryption,
  and signing.

31
Weekly task

• Generate a public/private key pair certificate
• Write a page which allows users to enter a block
  of text
• Allow them to hit encrypt and provide them with
  the ciphertext and envelope key
• Write corresponding decrypt page
• You will need to investigate base 64 encoding